The cybersecurity scourge of credentials theft
Date: Mon, 03/20/2017 - 14:00 Source: By Alan Zeichick, Principal Analyst at Camden Associates, where he specializes in enterprise networking, telecommunications and cybersecurity
Cybercriminals want your credentials and your employees’ credentials. When those hackers succeed in stealing that information, it can be bad for individuals – and even worse for corporations and other organizations. This is a scourge that’s bad, and it will remain bad.
Kowsik Guruswamy, Chief Technology Officer at Menlo Security
Image credited to Menlo Security
Credentials come in two types. There are personal credentials, such as the login and password for an email account, bank and retirement accounts, credit-card numbers, airline membership programs, online shopping and social media. When hackers manage to obtain those credentials, such as through phishing, they can steal money, order goods and services, and engage in identity theft. This can be extremely costly and inconvenient for victims, but the damage is generally contained to that one unfortunate individual.
Corporate digital credentials, on the other hand, are the keys to an organization’s network. Consider a manager, executive or information-technology worker within a typical medium-size or larger-size business. Somewhere in the organization is a database that describes that employee – and describes which digital assets that employee is authorized to use. If cybercriminals manage to steal the employee’s corporate digital credentials, the criminals can then access those same assets, without setting off any alarm bells. Why? Because they have valid credentials.
What might those assets be? Depending on the employee, they might range from file servers that contain intellectual property, such as pricing sheets, product blueprints, or patent applications, to email archives that describe business plans, or accounting servers that contain important financial information that could help competitors or allow for “insider trading.” It might be human resources data that can help the hackers attack other individuals or engage in identity theft or even blackmail. And if the stolen credentials are for individuals in the IT or information security department, the hackers can learn a great deal about the company’s technology infrastructure, perhaps including passwords to make changes to configurations, open up backdoors, or even disable security systems.
How do cybercriminals obtain those digital credentials? The most common way is to gain a foothold on a device used by an employee, one that is authorized to access the corporate network and company assets. The method of choice: general phishing emails, or highly targeted emails, called spearphishing.
“If somebody sends me an email from my favorite bank saying my account has been compromised and I happen to fall for it, enter in my user name, password, somebody is going to get my bank account. So they can do wire transfers et cetera. This is on a personal basis,” explained Kowsik Guruswamy, Chief Technology Officer at Menlo Security, whose cloud-based isolation platform protects users from malicious Internet content. “If I'm the CFO or the controller for some organization and that same thing happens to my corporate credentials, now all of the sudden it's a whole different ball game. Now they've got the company's bank account.” And if the phishing attempt installs malware on the CFO’s computer, the attackers can do anything the CFO can do.
Phishing emails can be extremely personalized and hard to resist, added Roi Abutbul, CEO and founder of Javelin Networks, which sells solutions to protect the Active Directory from attack. “Let me ask you this. If you receive an email that appears to be from your CEO that says this is the link that you need to click in order to prepare for tomorrow’s important meeting, will you open it or not? Of course you will. One hundred percent of the time you will open it and you will do whatever the CEO said to do.”
And that email link might take you to an external site that prompts you to give up your credentials – or open a file that installs malware onto your computer, which can then use your digital identity to access the corporate network.
Scott Scheferman, Director of Consulting at Cylance, which sells endpoint security software, agreed. “Credentials are the choke point common to every single breach. An attacker would prefer to have legitimate credentials. So once they get to the credential part of that kill chain if you will, they're off and running and they're able to use whitelisted tools and other types of normal authentication, whatever it might be, and there is no more malware so they can evade your detection systems.”
If It’s Successful Phishing, Is It a Breach?
Your CFO receives an email. He clicks the link, which opens up a website that looks like it’s the corporate bank. He types in his username and password. The cybertheft website displays an error message and redirects to the legitimate bank website. The CFO tries again, and gets into the account – and meanwhile, hackers have his username and password. Have you been breached?
“It's not really a breach,” maintains Menlo’s Guruswamy. “He just typed in his user name and password. Nobody got hacked. There wasn't this big zero day. Nothing happened. He just happened to enter the password and willingly hand the keys to somebody. There was no malware or anything involved.”
What is true is that an otherwise intelligent and highly trained individual fell for a spearphishing email, Guruswamy continued. “It's really about personalizing that information, knowing some context around whether this person is going to read it or not. So personally, I just delete all my emails that I get from people that I don't know. But every email that I take more than five seconds to read, I treasure them because they've got me. They've got my attention.”
Unfortunately, there’s not much we can do to prevent effective phishing or spearphishing, even with the latest available technology, said Stefan Lager, Vice President of Services at SecureLink, Europe’s leading security-focused technology reseller and managed security service provider (MSSP). “We can never be 100 percent able to protect against this kind of threat. We need to limit the damage if a credential is stolen and also make sure you can detect and respond quickly. As an organization, you have people, you have processes and technologies and you have protection, detection, and response. You need to have a good mix of capabilities within all these different areas.”
Credentials in Bulk
A single stolen password might unlock many digital assets. “Many people reuse passwords, and not all organizations are using two-factor authentication for accessing their external applications,” said Cylance’s Scheferman. “You put those two facts together and what you realize is that there is a massive market for the stealing and reselling of credentials.”
That’s why the huge thefts of usernames, passwords and other information are so alarming: information is often reused, with the same password, say, for social media and online banking, or for personal and corporate email. If criminals get one, they might get them all. And if what they manage to steal is email access, they might be able to use password recovery techniques to gain access to many, many other assets, both personal and corporate.
Scheferman continued, “A lot of what we were calling breaches or compromises are actually starting outside of the organization altogether. So if somebody does a massive database dump and they grab the whole database, usernames and passwords for a common social media site or something else, those passwords are then very readily available for other purposes.”
The end result: No matter how well employees are trained and warned, over and over again, there’s a good chance they’ll click on a realistic-looking email. Even if they don’t, their credentials could be compromised by a third-party leak, such as the recent Cloudbleed breach, which exposed user information from Uber, Fitbit, OkCupid and as many as 3,400 popular websites because of a bug in Cloudflare’s web performance management system.
What can be done, from a corporate perspective, to either protect corporate digital credentials, or to mitigate the effect of credentials theft? As one would expect, everyone has an opinion.
Menlo: It’s All About Isolation and Information
“The underpinning technology behind Menlo Security is what we call isolation,” said Guruswamy. “The concept of isolation is very simple. Let's stop playing this game of trying to figure out if a particular website is good or bad. Instead, we execute it away from the user safely in the cloud. We do it in such a way that the end user has no idea that we're doing that and thereby keep a fast-responding native user experience.”
Guruswamy continued, “Specific to phishing, if you look at how phishing links come to the user and what it does, they traditionally fall into three buckets:
• “First is what we call the known bad. Everybody knows it is a phishing site, it's on some list, Google has it, other feeds have it, everybody knows it is a phishing site. You do the obvious thing, you block it.
• “The next one is what we call the known good. Like amazon.com is not a phishing site. Yes, there might be some ads that give you malware, but it's not a phishing site for sure. So there is a known good.
• “Then the grey area. If you look at the grey area, we're doing the same thing that we've been doing for the last 20 years to phishing which is trying to figure out if it is a phishing site or not.
“Menlo gives up on that three-bucket idea. It's not working. It's very difficult. Instead when people click on a link, we isolate them from whatever loads. We have certain workflows which use the training aspects of good anti-phishing behavior and also put the website into a protective shell. It's a read-only mode. People can't type anything until they’re sure it is safe.”
So, he explained, let’s say a link opens up a web page that looks like it’s your bank. Menlo’s isolation platform blocks you from entering your password without being forced to think about it. “You've got to pause. There is training that's built into the workflow that tells the user, hey you're about to enter the password into a bank looking site. But look at the domain, it was registered two days ago. It was just registered just for you so you can type in your password. It's got these certain characteristics about it. Are you sure? So that really helps eliminate phishing, in our opinion.”
Cylance: Artificial Intelligence Aids Human Intelligence
“Cylance has tried to solve the problem in the 100 milliseconds prior to an executable executing and allow the AI to predict whether or not that file should run or not within that 100 millisecond pause, if you will,” said Scheferman.
“So in the space it takes you to blink your eye, we would look at seven files and decide whether they should be able to run or not,” he continued. “What we're using is predictive AI.”
Scheferman suggested looking at the second wave of the Shamoon 2 malware, as described in a recent report from Palo Alto Networks. “Palo Alto did an excellent exposé on what that threat actor is and motivations, the Indicators of Compromise, all these buzzwords of intelligence. However, with our AI, Cylance was actually able to prevent that pre-execution 430 days before Palo Alto's report.”
“So when we say prevention, we're literally talking days, weeks, months or sometimes years in front of when the threat actually appears,” Scheferman continued.
Cylance uses very detailed analysis to determine if a file is good or bad, safe or malicious – even if it has never been seen before, and even if there’s no antivirus signature. That’s because Cylance’s AI doesn’t use signatures, Scheferman explained. “We break each file up into 2.7 million features to examine. So it's not just 30 features or 200 features that malware analysts understand and the rest of the whole industry, but actually millions of features that the human race doesn't even have words for. The AI software tells us about features and absences of features and combinations of features that indicate this malicious software. So, if the file is bad, the AI can make an autonomous decision and use that 100 millisecond pause before execution to say ‘no you can't run.’”
Javelin Networks: Protect the Microsoft Active Directory
Active Directory is an essential feature of Microsoft domain networks. It is available to all authenticated and credentialed users, applications and resources; it basically says who can do what, and provides the location and digital description of everything on a secure network. The challenge is that if a cybercriminal manages to take control of a credentialed user account or device, Active Directory provides a complete map of the network’s resources, applications, users, and user credentials.
“Javelin Networks protects Active Directory. That's it,” said Abutbul. “If you look at our industry, it is really focused on protecting computers, protecting web applications, protecting the network, protecting mobiles, and so on.”
However, he explained, “at the end of the day, Active Directory, which is used by nine out of ten companies around the world, is exposed by design and remains unprotected. This is our mission as a company first to drive the awareness around Active Directories.”
Abutbul explained that Javelin Networks’ product, called AD Protect, contains artificial intelligence that controls the attacker’s perception of locally stored credentials and the entire organization’s internal resources, including all endpoints, servers, users and applications, right at the point of breach. AD Protect learns the organization’s Active Directory structure, and uses this data to create a virtually unlimited number of new fake resources, which are then presented to the attacker. If the attacker attempts to use the fake resources, perhaps to learn about the network, or to attempt to compromise other resources, that immediately triggers an alert, and reveals the attack.
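The detection idea behind decoy resources can be shown with a small alerting routine: any authentication event touching a planted account or host is an alert by definition, and a single source touching many distinct targets in a short window looks like directory enumeration. This is an added example written for this article, not Javelin Networks’ AD Protect code; the decoy names and the simplified events are constructed.

```python
"""Decoy-resource alerting over constructed, simplified authentication events.
Added example, not vendor code; decoy names and events below are made up."""
from collections import defaultdict

# Constructed decoy inventory: names a defender plants in the directory so that
# only someone enumerating it (never a normal user) ever touches them.
DECOY_ACCOUNTS = {"svc_backup_admin", "helpdesk_da"}
DECOY_HOSTS = {"FS-FINANCE-02", "SQL-PAYROLL-01"}

# Constructed events: (ts seconds, source host, account used, target resource).
EVENTS = [
    {"ts": 100, "src": "WS-0417", "account": "jsmith", "target": "FS-SHARE-01"},
    {"ts": 105, "src": "WS-0417", "account": "jsmith", "target": "MAIL-01"},
    {"ts": 110, "src": "WS-0999", "account": "jsmith", "target": "FS-SHARE-01"},
    {"ts": 111, "src": "WS-0999", "account": "jsmith", "target": "FS-FINANCE-02"},
    {"ts": 112, "src": "WS-0999", "account": "svc_backup_admin", "target": "DC-01"},
    {"ts": 113, "src": "WS-0999", "account": "jsmith", "target": "MAIL-01"},
    {"ts": 114, "src": "WS-0999", "account": "jsmith", "target": "PRINT-01"},
]

def decoy_alerts(events):
    """Every event that uses a decoy account or reaches a decoy host is an alert."""
    alerts = []
    for e in events:
        reasons = []
        if e["target"] in DECOY_HOSTS:
            reasons.append("decoy host")
        if e["account"] in DECOY_ACCOUNTS:
            reasons.append("decoy account")
        if reasons:
            alerts.append((e["ts"], e["src"], e["account"], e["target"], ", ".join(reasons)))
    return alerts

def enumeration_sources(events, window=60, threshold=4):
    """Sources that reach >= threshold distinct targets within `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {e["target"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    for alert in decoy_alerts(EVENTS):
        print("ALERT", alert)
    print("enumeration suspected from:", sorted(enumeration_sources(EVENTS)))
```

On the constructed events, WS-0999 trips two decoy alerts and the enumeration heuristic, while the ordinary workstation WS-0417 trips neither.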
SecureLink: A Trusted Advisor and Partner
“At SecureLink, we strive to be a trusted adviser to our customers,” said Lager. “You don't become a trusted adviser if you're just shoving boxes over the fence to them. It's a responsibility for us to try and help improve the situation for our customers and not only throw them a technology all the time and make sure that when we do we invest in the right technology.”
As a reseller and MSSP, he continued, “we focus our services in three different categories. First, assessment services. Things like penetration testing. We do security maturity assessment, phishing assessments, stuff like that, to try and discover where the customer really is at right now and what they need help with.”
Next, Lager said, “We can design and deploy different types of technology solutions for the customer. If they want, we can help do operation services for them as an MSSP.”
The third category is analysis and response. “Can we discover lateral movements by just looking at different events from different platforms? Can we deploy endpoints and use EDR functionality on the endpoint to things happening on the endpoints and elsewhere.”
Bottom line, Lager concluded: “Our mission is safely enabling your business. We do that with the latest type of technologies and the right people and processes.”
Information and Security Overload
Credentials theft, both on the personal and business front, is a huge issue, and it’s one that’s never going to go away, at least not in the foreseeable future. Many companies, including Cylance, Javelin Networks, Menlo Security, and SecureLink, seek to help companies solve the problem on behalf of their employees, shareholders, and customers. However, as long as there are big corporate data breaches, and as long as people click on links from insecure websites, credentials theft will always be with us.
Javelin Network’s Abutbul offered a sobering thought: “CISOs today are swamped. The security teams are overloaded with data and a lot of work that they need to do at the end of the day. Plus, they are understaffed and with limited budgets.”
Making it worse is that the battle against credentials theft is asymmetric, Abutbul concluded. “Just look at the effort that attackers need to invest in order to penetrate and bring down an organization. Their investment in attacking the organization is small, and our investment as defending the organization is huge.”
That’s why the battle against the scourge of credentials theft will never, ever end.